TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature Description: The API Srv_paraminfo(), which is called by Extended Stored Procedures (XPs) in Microsoft SQL
Server and Microsoft Data Engine, is susceptible to a buffer overflow vulnerability that may cause the application to
fail or allow arbitrary code to be executed on the target system, depending on the data entered into the buffer. XPs are
DLL files that perform high-level functions in SQL Server. When called, they invoke a function named Srv_paraminfo()
to parse their input parameters. The vulnerability lies in the fact that Srv_paraminfo() does not check the length of the
parameter string that an XP passes to it. If an attacker can pass an overly long string to the XP xp_peekqueue, a buffer
overflow occurs due to an unsafe memory copy. This can crash SQL Server, and an attacker may be able to execute
arbitrary shellcode on the host running SQL Server with the privileges of the SQL Server service account, which is
frequently SYSTEM. Exploitation is confined to those who can successfully log onto the SQL server.
Signature ID: 12072
MS-SQL xp_printstatements buffer overflow
Threat Level: Information
Industry ID: CVE-2000-1086
Bugtraq: 2041
Signature Description: The API Srv_paraminfo(), which is called by Extended Stored Procedures (XPs) in Microsoft SQL
Server and Microsoft Data Engine, is susceptible to a buffer overflow vulnerability that may cause the application to
fail or allow arbitrary code to be executed on the target system, depending on the data entered into the buffer. XPs are
DLL files that perform high-level functions in SQL Server. When called, they invoke a function named Srv_paraminfo()
to parse their input parameters. The vulnerability lies in the fact that Srv_paraminfo() does not check the length of the
parameter string that an XP passes to it. If an attacker can pass an overly long string to the XP xp_printstatements, a
buffer overflow occurs due to an unsafe memory copy. This can crash SQL Server, and an attacker may be able to
execute arbitrary code on the host running SQL Server with the privileges of the SQL Server service account, which is
frequently SYSTEM. Exploitation is confined to those who can successfully log onto the SQL server.
Signature ID: 12073
MS-SQL xp_proxiedmetadata buffer overflow
Threat Level: Severe
Industry ID: CVE-1999-0287 CVE-2000-1087 CVE-1999-0467
Bugtraq: 2024
Signature Description: Extended stored procedures are a mechanism by which a database query can result in a call into a
function in a DLL. They can be called by any client component that can issue a normal SQL Server query. The
xp_proxiedmetadata procedure in xprepl.dll is vulnerable to a buffer overflow: sending an overly long string as its
second parameter causes an access violation and overwrites the exception handler's saved return address. By exploiting
this, an attacker can gain unauthorized access to the vulnerable system. A patch is available; refer to MS00-092 to
resolve this issue.
Signature ID: 12074
MS-SQL xp_reg* - registry access
Threat Level: Information
Industry ID: CVE-2002-0642
Bugtraq: 5205
Signature Description: A vulnerability exists in SQL Server 2000 that may allow an attacker to run SQL Server with
elevated privileges. This is a result of incorrect permissions placed upon the SQL Server Service Account registry key.
An attacker who is able to load and execute queries on SQL Server may be able to cause SQL Server to change the
permissions on its associated registry key. This signature detects attempts to call the xp_reg* family of extended
stored procedures (for example xp_regread and xp_regwrite) from SQL.
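The two detection conditions described in the entries above (an overly long string literal passed to one of the
Srv_paraminfo() overflow XPs, and any call to an xp_reg* procedure) can be illustrated with a small query inspector.
This is an added example written for this guide, not the TMS zl module's own signature logic: the regular
expressions, the 256-byte length threshold (MAX_PARAM_LEN) and the sample queries are all constructed for
illustration and are not taken from the product.

```python
import re

# XPs named by the Srv_paraminfo() overflow signatures on this page
# (the API does not bound the parameter string these XPs hand to it).
OVERFLOW_XPS = {"xp_peekqueue", "xp_printstatements", "xp_proxiedmetadata", "xp_showcolv"}

# String-literal length above which a parameter is treated as an overflow attempt.
# Assumed value for illustration; the real IPS thresholds are not documented here.
MAX_PARAM_LEN = 256

# Matches "[exec[ute]] [master..|master.dbo.]xp_name <args>" up to ';' or end of text.
XP_CALL_RE = re.compile(
    r"\b(?:exec(?:ute)?\s+)?(?:master\s*\.(?:\s*dbo\s*)?\.\s*)?(xp_\w+)\s*(.*?)(?:;|$)",
    re.IGNORECASE | re.DOTALL,
)

# T-SQL string literals: 'text' or N'text', with '' as the escaped quote.
STRING_LIT_RE = re.compile(r"N?'((?:[^']|'')*)'", re.IGNORECASE)


def inspect_query(sql):
    """Return a list of (signature_name, xp_name, detail) hits for one query string."""
    hits = []
    for m in XP_CALL_RE.finditer(sql):
        xp = m.group(1).lower()
        args = m.group(2)
        # Signature 12074: any registry XP call is reported, whatever its arguments.
        if xp.startswith("xp_reg"):
            hits.append(("MS-SQL xp_reg* - registry access", xp, args.strip()))
        # Overflow signatures: report when the longest literal exceeds the threshold.
        if xp in OVERFLOW_XPS:
            longest = max((len(s) for s in STRING_LIT_RE.findall(args)), default=0)
            if longest > MAX_PARAM_LEN:
                hits.append((f"MS-SQL {xp} buffer overflow", xp, f"param length {longest}"))
    return hits


# Constructed sample traffic: two benign statements, one registry read, one overflow attempt.
SAMPLE_QUERIES = [
    "SELECT name FROM sysobjects WHERE xtype = 'U'",
    "EXEC master..xp_regread 'HKEY_LOCAL_MACHINE', 'SOFTWARE\\Microsoft\\MSSQLServer\\MSSQLServer', 'LoginMode'",
    "exec master.dbo.xp_printstatements '" + "A" * 1200 + "'",
    "EXEC xp_peekqueue 'short'",
]


def scan(queries):
    """Run inspect_query over a batch and pair each hit with the index of its query."""
    return [(i, hit) for i, q in enumerate(queries) for hit in inspect_query(q)]


if __name__ == "__main__":
    for idx, (sig, xp, detail) in scan(SAMPLE_QUERIES):
        print(f"query {idx}: {sig} ({xp}) {detail}")
```

Run against SAMPLE_QUERIES the inspector flags the xp_regread call and the 1200-byte xp_printstatements
argument and ignores the benign SELECT and the short xp_peekqueue call. A real IPS works on the TDS stream rather
than on reassembled query text and cannot rely on a fixed literal length, so treat the threshold as a starting point
for tuning, not as the product's behaviour.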
Signature ID: 12075
MS-SQL xp_showcolv buffer overflow
Threat Level: Information
Industry ID: CVE-2000-1083
Bugtraq: 2038